茫然传输（Oblivious Transfer）

茫然传输（Oblivious Transfer）

“茫然传输”是安全计算协议的基本构件，并且是固有的非对称基元。Impagli-azzo和Rudich（1989）表明，从OT减少到对称密钥原语（单向函数，PRF）意味着P != NP。 但是，正如Beaver（1996）首次观察到的那样，批量执行OT只需要少量的公钥操作。Beaver的结构非黑盒，因为PRF需要表示为电路并需要评估为MPC。 因此，Beaver的结果主要具有理论意义。Ishai等（2003年）通过提出一个非常高效的批处理OT极大地改变了事务状态，该批处理OT只需要κ密钥用于整个批处理，每个OT需要两个或三个散列。

Oblivious Transfer, defined in Section 2.4, is an essential building block for secure computation protocols, and an inherently asymmetric primitive. Impagli-azzo and Rudich (1989) showed that a reduction from OT to a symmetric-key primitive (one-way functions, PRF) implies that P,NP. However, as first observed by Beaver (1996), a batched execution of OT only needs a small number of public key operations. Beaver’s construction was non-black-box in the sense that a PRF needed to be represented as a circuit and evaluated as MPC. As a consequence, Beaver’s result was mainly of theoretical interest. Ishai et al. (2003) changed the state of affairs dramatically by proposing an extremely efficient batched OT which only required κ of public key operations for the entire batch and two or three hashes per OT.

基于公钥的半诚实模型OT（Public key-based semi-honest OT）

我们从半诚实的模型开始，基于基本的基于公钥的OT。图3.7所示的结构确实非常简单。
结构的安全性假定存在公开密钥加密，并且能够对随机的公开密钥进行采样而无需获取相应的秘密密钥。该方案在半诚实模型中是安全的。
发送方S仅看到R发送的两个公共密钥，因此在不知道秘密密钥的情况下，无法以高于12的概率预测生成了哪个密钥。因此，可以简单地通过发送两个随机选择的公共密钥来模拟S的视图。
接收器R看到两种加密，并具有一个密钥，只能解密其中一种。给定R的输入和输出，R的视图也很容易模拟，Sim S将生成公钥对和随机公钥，并将模拟的接收密文设置为1）在生成的密钥对下对接收到的秘密进行加密，并2）在随机选择的密钥下加密零。由于与实际执行的区别仅在于第二次加密，因此进行了仿真，并且由于加密安全性的保证，区分符也不会区分零和另一值的加密。请注意，此半诚实的协议不提供针对恶意发送者的安全性-发件人S可以简单地生成两个公私钥对（sk 0，pk 0）和（sk 1，pk 1）并发送（pk 0，pk 1）到R，然后解密两个接收到的密文，以学习x 1和x 2。

We start with the basic public key-based OT in the semi-honest model. Theconstruction, presented in Figure 3.7, is very simple indeed.
The security of the construction assumes the existence of public-key encryption with the ability to sample a random public key without obtaining the corresponding secret key. The scheme is secure in the semi-honest model.
The Sender S only sees the two public keys sent by R, so cannot predict with probability better than 12 which key was generated without the knowledge of the secret key. Hence, the view of S can be simulated simply by sending two randomly-chosen public keys.
The Receiver R sees two encryptions and has a secret key to decrypt only one of them. The view of R is also easily simulated, given R’s input and output.Sim S will generate the public key pair and a random public key, and set the simulated received ciphertexts to be 1) the encryption of the received secret under the generated keypair and 2) the encryption of zero under the randomly chosen key. The simulation goes through since the difference with the real execution is only in the second encryption, and distinguisher will not be a tell apart the encryption of zero from another value due to the encryption security guarantees. Note that this semi-honest protocol provides no security against a malicious sender—the Sender S can simply generate two public-private key pairs, (sk 0 , pk 0 ) and (sk 1 , pk 1 ) and send (pk 0 , pk 1 ) to R, and decrypt both received ciphertexts to learn both x 1 and x 2 .

Public Key Operations in OT

1. Beaver’s non-black-box construction.
2. Reducing the number of public key operations.
3. Coding interpretation and cheaper 1 -out-of- 2 l OT.

---

来源《A Pragmatic Introduction to Secure Multi-Party Computation》